The Hacker News — Cyber Security, Hacking, Technology News

AppNexus, a New York-based online ad network that provides a platform specializing in real-time online advertising, has again been spotted as the origin of a recent "malvertising" campaign that uses the Angler Exploit Kit to redirect visitors to malicious websites hosting the Asprox malware.

AppNexus servers process 16 billion ad buys per day, giving it the largest reach on the open web after Google. Back in May, AppNexus was serving malicious ads targeting Microsoft’s Silverlight platform. The world’s largest Internet video subscription service, Netflix, runs on Silverlight, and because of its popularity, hackers have been loading exploit kits with Silverlight exploits.

As part of this campaign, users of several high-profile websites, including Java.com, Deviantart.com, TMZ.com, Photobucket.com, IBTimes.com, eBay.ie, Kapaza.be and TVgids.nl, were last week redirected to websites serving malicious advertisements that infected visitors by installing botnet malware on their computers, said security company Fox-IT.

“These websites have not been compromised themselves, but are the victim of malvertising. This means an advertisement provider, providing its services to a small part of a website, serves malicious advertisement aimed at infecting visitors with malware,” researchers at Fox-IT said in a blog post.

The Angler exploit kit is sold on underground forums and is used in various malicious campaigns to compromise websites and redirect users to sites hosting banking malware and other types of malicious code in order to victimize them.

“Please note, a visitor does not need to click on the malicious advertisements in order to get infected. This all happens silently in the background as the ad is loaded by the user’s browser,” researchers warned.

According to the researchers, Angler first checks whether the victim’s browser supports an outdated version of Java, Adobe Flash Player or Microsoft Silverlight, and then silently installs a variant of the Asprox botnet malware.

Asprox is primarily a spam botnet that has been involved in multiple high-profile attacks on various websites in order to spread malware. It has recently been modified for click fraud, and cybercriminals use it to spread malware through email attachments and exploit kits. It also has other malicious functionality, including scanning websites for vulnerabilities and stealing log-in credentials stored on computers.

“Asprox has gone through many changes and modifications which includes spam modules, website scanning modules and even credential stealing modules,” Fox-IT said. “This history and current events show Asprox is still actively being developed and used.”

When a user visits a site hosting the malicious ad, the browser is redirected in the background to ads[.]femmotion[.]com, which then redirects to the exploit kit on a number of other domains, among them the gloriousdead[.]com and taggingapp[.]com.

“All the exploit kit hosts were observed using port 37702. Running exploit kits on high ports at best prevents certain network tools from logging the HTTP connections, as these are typically configured to monitor only HTTP ports,” Fox-IT said. “It does mean this exploit kit is blocked on a lot of corporate networks as they do not allow for browsing outside the normal HTTP ports, port 80 (or proxy ports) and 443 for SSL.”
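The two observations Fox-IT makes here, exploit-kit hosts on a non-standard port and a fixed redirect chain, translate directly into a proxy-log check. The following is an added example, not code from Fox-IT or the article; it assumes a constructed, simplified proxy-log format (timestamp, client, method, URL, status) and uses `ek.example.net` as a placeholder for an exploit-kit host, while the redirect domains are the defanged ones named above.

```python
"""Flag web-proxy log entries matching the malvertising chain described above.

Two signals, both taken from the Fox-IT observations quoted in the article:
  1. web requests to a host on a port outside the usual browsing ports
     (the Angler hosts in this campaign listened on TCP 37702), and
  2. requests to the redirect/exploit-kit domains named in the article.

The log format is a constructed, simplified one (timestamp client method url
status); adapt parse_line() to whatever your proxy actually writes.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Ports a corporate proxy would normally allow for browsing.
NORMAL_WEB_PORTS = {80, 443, 8080, 3128}

# Indicators exactly as printed (defanged) in the article; refanged for matching.
CAMPAIGN_DOMAINS_DEFANGED = ["ads[.]femmotion[.]com", "taggingapp[.]com"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as ads[.]femmotion[.]com back into a hostname."""
    return indicator.replace("[.]", ".").lower()


CAMPAIGN_DOMAINS = {refang(d) for d in CAMPAIGN_DOMAINS_DEFANGED}


@dataclass
class Finding:
    client: str
    host: str
    port: int
    reasons: tuple


def host_matches(host: str, domains: set) -> bool:
    """True if host equals a campaign domain or is a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def parse_line(line: str):
    """Parse 'timestamp client method url status' into (client, host, port)."""
    parts = line.split()
    if len(parts) != 5:
        return None
    _, client, _, url, _ = parts
    u = urlsplit(url)
    if u.scheme not in ("http", "https") or not u.hostname:
        return None
    port = u.port or (443 if u.scheme == "https" else 80)
    return client, u.hostname, port


def check_line(line: str):
    """Return a Finding for a suspicious line, or None for a benign/unparsable one."""
    parsed = parse_line(line)
    if parsed is None:
        return None
    client, host, port = parsed
    reasons = []
    if port not in NORMAL_WEB_PORTS:
        reasons.append(f"web request to non-standard port {port}")
    if host_matches(host, CAMPAIGN_DOMAINS):
        reasons.append("host matches malvertising redirect/EK domain")
    if not reasons:
        return None
    return Finding(client, host, port, tuple(reasons))


def scan_log(lines):
    """Run check_line over an iterable of log lines and collect the findings."""
    return [f for f in map(check_line, lines) if f is not None]


# Constructed sample log: benign traffic, the first redirect hop, and an
# exploit-kit landing page on port 37702 (ek.example.net is a placeholder).
SAMPLE_LOG = [
    "2014-08-26T10:00:01Z 10.1.2.3 GET http://www.example.com/index.html 200",
    "2014-08-26T10:00:02Z 10.1.2.3 GET http://ads.femmotion.com/serve?id=1 302",
    "2014-08-26T10:00:03Z 10.1.2.3 GET http://ek.example.net:37702/landing 200",
    "2014-08-26T10:00:04Z 10.1.2.3 GET https://mail.example.org/ 200",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.client} -> {f.host}:{f.port}: {'; '.join(f.reasons)}")
```

The port check is the one that generalises: it catches the next campaign on a high port even when the domains have changed, which is exactly why Fox-IT notes that proxies restricted to the normal HTTP ports blocked this kit outright.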

In order to show targeted advertisements to users, advertisers engage in an automatic, real-time bidding process, which makes malicious advertisements more difficult to track. “In the case of this malvertising campaign the malicious advertisers were the highest bidders,” Fox-IT says.

The attackers used a technique called “retargeting”, which digital advertising agencies normally use to rotate the ads shown to the same visitor when they access a specific page multiple times.

“The way it works is that a user with an interesting set of tracking cookies and other metadata for a certain ad provider is retargeted from the original advertisement content on the website to the modified or personalized data,” Fox-IT researchers said. “We have seen examples where the website that helped with the ad redirect to infect a user had no idea it was helping the delivery of certain content for a certain ad provider.”

Microsoft today reissued a Windows security update to replace the faulty update that previously caused PCs to suffer Blue Screens of Death (BSoD).

The new security update comes almost two weeks after reports emerged that the dodgy update crippled users’ computers with the infamous “Blue Screens of Death.” The company later advised people to uninstall the update, but now it has fixed the issue.

"This month we had our first roll out with additional non-security updates. A small number of customers experienced problems with a few of the updates," Tracey Pretorius, director of Microsoft Trustworthy Computing, wrote in a blog post.

"As soon as we became aware of some problems, we began a review and then immediately pulled the problematic updates, making these available to download. We then began working on a plan to re-release the affected updates."

The offending patch, MS14-045, which fixes Windows kernel vulnerabilities in 47 of Microsoft's systems and which the company rated as important, can cause system crashes that force users to reboot.

Soon after the initial release of the patch, the issue surfaced on Microsoft’s support forum, where customers started posting messages on an eventually lengthy thread saying that their systems, especially those running the 64-bit version of Windows 7, had been bricked with an error message and the ensuing "Blue Screen of Death."

This update flashed a message on the screen that reads: “Your PC ran into a problem and needs to restart. We’re just collecting some error info and then we’ll restart for you (0% complete).”

The BSoD-triggering patch was really an embarrassment for Microsoft and it quietly told customers to uninstall the MS14-045 update.

Now, after testing the patches against its huge codebase, the Microsoft Security Response Center (MSRC) has produced a fixed update, which is available once again for download, now known as KB2993651.

So, if you have KB2982791 installed, we recommend that you uninstall it and download KB2993651 instead. You don't strictly have to uninstall the old update, but it is highly recommended that you do so.

Those who have not enabled automatic updates are advised to visit the Microsoft site and download the patch manually, as soon as possible.

Hackforums - one of the most popular hacking forums in the world - has been hacked and defaced by the well-known Egyptian hacker with the online handle Eg-R1z.

HackForums is popular among both whitehats and blackhats. On one end of the spectrum, HackForums helps over 110,000 members of the hacking community remove dangerous malware from their computers, and promotes research into and learning about various kinds of malware.

But on the other end, it also serves as a platform for hackers and cyber thieves, who post infected material in order to victimize others. The website is hosted on a server in Europe and is estimated to earn around $7,316 USD per day.

Last night, hackforums.net went dark with a defacement message that reads:

It is still unclear how the hacker managed to get into the server and which type of vulnerability or weakness was exploited. It seems that the hacker exploited some flaw, defaced the website and then hosted the image displayed on the defaced page on the hacked server.

The reason for the defacement is still unknown, but from the defacement message one can infer that the hacker is warning the HackForums admin about security.

The forum was unavailable for a few hours last night, but at the time of writing the site was back to its normal form, although site performance is still suffering. You can check the defacement mirror at Zone-H as proof of the hack.

It’s not the first time the HackForums website has been hacked. In the past, it was also hacked by various hackers with the online handles imLulzPirate, b0x, SYRIAN-HACKER and KTN.

Routers manufactured and sold by a Chinese security vendor have a hard-coded password that leaves users with a wide-open backdoor that could easily be exploited by attackers to monitor their Internet traffic.

The routers are sold under the brand name Netcore in China, and Netis in other parts of the world, including South Korea, Taiwan, Israel and United States.

According to Trend Micro, the backdoor — a semi-secret way to access the device — gives cybercriminals a way to bypass device security, easily run malicious code on the routers and change their settings.

Netis routers are known for wireless transfer speeds of up to 300Mbps, offering better performance for online gaming, video streaming and VoIP calling.

The Netcore and Netis routers have an open UDP port, 53413, listening on the Internet-facing side of the router. The password needed to open this backdoor is hard-coded into the router’s firmware.

All of the routers – sold under the Netcore brand in China and as Netis outside the country – appear to have the same password, says Tim Yeh, threat researcher at the security firm, warning that the backdoor cannot be changed or disabled, essentially offering a way in to any attacker who knows the “secret” string.

Using the backdoor, hackers could upload or download hostile code and even modify the settings on vulnerable routers in order to monitor a person’s Internet traffic as part of a so-called man-in-the-middle (MitM) attack.

The researchers scanned the Internet and found that millions of devices worldwide are potentially vulnerable.

“Using ZMap to scan vulnerable routers, we found more than two million IP addresses with the open UDP port,” Yeh wrote in a blog post. “Almost all of these routers are in China, with much smaller numbers in other countries, including but not limited to South Korea, Taiwan, Israel, and the United States.”

Exploiting this flaw is not difficult, as a simple port scan reveals the open UDP port to anyone using such a tool.

In addition, Trend Micro found that a configuration file containing the username and password for the router's web-based administration panel is stored unencrypted, allowing an attacker to download it.

“Users have relatively few solutions available to remedy this issue. Support for Netcore routers by open source firmware like dd-wrt and Tomato is essentially limited; only one router appears to have support at all. Aside from that, the only adequate alternative would be to replace these devices,” advises Yeh.

Along with the release of Chrome 37 for Windows, Mac, and Linux, Google today also released a long-awaited 64-bit stable version of its Chrome browser for Windows systems. The company has been working on the 64-bit support for Windows 7 and Windows 8 since June.

Back in June, Google first released Chrome 64-bit only in the browser’s Dev and Canary channels. Then in July, the beta channel received the same update, and now Chrome 64-bit is finally available in the stable channel.

The new 64-bit version of Chrome offers three main advantages:

Speed

Security

Stability

Therefore, for those of you on a compatible 64-bit system, this new version will offer faster performance as well as security and stability enhancements in comparison to the 32-bit version. Chrome 64-bit is still opt-in, though: if you want to take advantage of it, hit the new “Windows 64-bit” download link over at google.com/chrome.

SPEED ENHANCEMENT

Google claims that certain media and graphics workloads in particular are faster in the 64-bit version. As an example, Chrome team programmer Will Harris wrote in a blog post that VP9 video decoding — used for some YouTube high-definition streams — is 15 percent faster than in the 32-bit variant.

The 64-bit version of Chrome is faster because it takes advantage of optimizations in processors and compilers, a more modern instruction set than the 32-bit edition, and a calling convention that allows more function parameters to be passed quickly in registers.

SECURITY ENHANCEMENT

Security has also been improved in the 64-bit version, which has access to a much larger pool of memory.

Windows has a built-in security feature called ASLR (Address Space Layout Randomization), which makes exploits harder to write by randomizing the location of items such as DLLs in memory. Because the 64-bit version has far more address space available, ASLR has much more room to randomize over, and exploits become correspondingly harder to create.

STABILITY ENHANCEMENT

The search engine giant also says that stability has improved with the 64-bit version of the browser, which is "twice as stable" as its 32-bit equivalent.

While testing beta versions of Chrome 64-bit, the development team found that the Chrome browser crashes around half as often as the 32-bit version when processing web content.

WHAT’S WRONG WITH THE 64-BIT VERSION OF THE BROWSER?

Every new feature comes with some drawbacks. The most significant one for Chrome 64-bit is the lack of support for the 32-bit NPAPI plugins that the 32-bit browser supported.

This means that some browser plugins, including both Silverlight and Java, will not work in the new version. Google intends to remove 32-bit NPAPI support altogether at some point in the future, so this difference will not be permanent.

CHROME 37 — WHAT’S NEW?

The Chrome 37 update also marks the stable release for Windows, Mac and Linux; the official change log provided by Google lists the following changes:

DirectWrite support on Windows for improved font rendering.

A number of new apps/extension APIs.

Lots of under the hood changes for stability and performance.

The Chrome 37 update will happen automatically for most users; however, if you want the 64-bit version, you will have to download it manually from the browser's website.

More than half of South Korea's population of 50 million aged between 15 and 65 have been affected by a massive data breach that compromised their personal information.

The data breach came to light when 16 individuals were arrested following the theft of about 220 million records from a number of online game, ringtone storefront and movie ticket sites, containing personally identifiable information on 27 million victims.

The stolen records included the real names, account names, passwords and resident registration numbers of the victims, according to the English version of the Seoul-based daily newspaper Korea Joongang Daily.

Among the 16 perpetrators, the South Jeolla Provincial Police Agency arrested a 24-year-old man named ‘Kim’ for allegedly obtaining and selling all 220 million records of personal information, including names, registration numbers, account names and passwords, which he acquired from a Chinese hacker he met through an online game in 2011.

Police estimate that the secondary damage caused by the breach alone amounts to nearly $2 million. Kim also hacked into a total of 6 online video games in South Korea using the stolen information, from which he allegedly stole almost $400,000. Kim reportedly gave a $130,000 cut of the money to the Chinese hacker from whom he initially acquired the information.

The stolen information was sold for prices ranging from US$0.001 to US$20 per item, depending on whether the buyer was a thief or an illegal gaming advertiser, the police said. Authorities claim Kim went on to sell the personal information to mortgage fraudsters and “illegal gambling advertisers” for 10 to 300 won, a fraction of a U.S. dollar. Those swindlers and advertisers duped hundreds of South Koreans between September 2012 and November 2013.

Online gaming is wildly popular in South Korea, so the stolen information is of great use to the buyers. They used the credentials to steal in-game currency and other game-related items from online gaming accounts and sold them to other players at much higher rates.

The hackers are believed to have used a hacking tool dubbed "extractor" that would log into user accounts and steal the information. The authorities are still investigating how the stolen information has been circulating and are pursuing seven other suspects, including the Chinese hacker.

The breach was severe, but it isn’t the first time that Internet users in South Korea have suffered a massive data breach. A more damaging breach occurred in 2011, when the data of 35 million people in the country was exposed after hackers broke into the databases of South Cyworld, a South Korean social media site, and the Nate search portal.

Earlier this year, 20 million South Koreans were impacted by a data breach caused by an employee of the Korea Credit Bureau, who copied their PII onto an external drive over a period of 18 months.

Sci-fi movies have long entertained the public, and their ideas have a way of turning up in real life. Just as in a sci-fi movie, simply touching a laptop can be enough to extract the cryptographic keys used to secure the data stored on it.

A team of computer security experts at Tel Aviv University (Israel) has come up with a new and potentially much simpler method of stealing data from computers: just touch them, literally.

WAYS TO ATTACK ENCRYPTION

There are different ways of attacking encryption systems. On one side, there are security vulnerabilities and weaknesses in the encryption algorithms themselves that make it possible to work out the cryptographic keys.

On the other side, there are flaws and weaknesses in people themselves that make it easier than it should be to get them to give up the keys that decrypt something. Neither kind of flaw is necessarily quick or easy to find, as there are several dependencies.

TOUCH AND VICTIMIZE ANY COMPUTER

According to Eran Tromer, Daniel Genkin and Itamar Pipman, computer security experts at Tel Aviv University, a simple electrical trick is enough for sophisticated attackers to gain access to thousands of encryption keys solely by touching the chassis of the computer.

Access to these keys could be used to forge hundreds of the digital signatures people rely on all the time when creating passwords, signing contracts or, perhaps most importantly, using credit and debit cards online.

To attack a computer, all you need to do is wear a special digitizer wristband and touch an exposed part of the system. The wristband measures the tiny changes in the ground electrical potential, which can reveal even strong encryption keys, such as a 4,096-bit RSA key.

In fact, in some cases you don't even have to touch the system directly with your bare hands: you can intercept encryption keys from attached network and video cables as well. The researchers call this a side-channel attack.

"Our attacks use novel side channels and are based on the observation that the 'ground' electric potential in many computers fluctuates in a computation-dependent way," the researchers wrote in their paper [PDF]. "An attacker can measure this signal by touching exposed metal on the computer's chassis with a plain wire, or even with a bare hand. The signal can also be measured at the remote end of Ethernet, VGA or USB cables."

The researchers also note that this attack works better in hot weather, due to the lower resistance of sweaty fingers. The team will present their research in a talk titled Get Your Hands Off My Laptop: Physical Side-Channel Key-Extraction Attacks On PCs, at the Workshop on Cryptographic Hardware and Embedded Systems 2014 (CHES 2014) in Korea, on September 23.

The actual attack can be performed quickly. According to the research, "despite the GHz-scale clock rate of the laptops and numerous noise sources, the full attacks require a few seconds of measurements using medium frequency signals (around 2 MHz), or one hour using low frequency signals (up to 40 kHz)."

The team could retrieve keys from multiple test machines running the popular open-source encryption software GnuPG, which implements the OpenPGP standard. The results are striking, as the researchers write:

Using GnuPG as our study case, we can, on some machines:

distinguish between the spectral signatures of different RSA secret keys (signing or decryption), and

fully extract decryption keys, by measuring the laptop's chassis potential during decryption of a chosen ciphertext.

Key retrieval worked best with high-end lab equipment, but the researchers also successfully executed the attack using a smartphone connected to the Ethernet cable's shielding via its headphone port, which they found sufficient in some scenarios.

The good news is that there is no need to worry about overly grabby strangers stealing your data just yet: the technique focuses primarily on GnuPG, which already has a patch ready that limits the effect of the attack. Attackers also have to measure the electrical changes while the decryption is actually running in order to get hold of your data, which is not easy.

The United States National Security Agency (NSA) is using a massive information-sharing platform that allows multiple law enforcement agencies to search more than 850 billion communications records detailing e-mails, phone calls, instant messages and phone geolocation, according to classified documents disclosed by former intelligence contractor Edward Snowden.

The NSA has built ICREACH, a Google-like search engine that secretly provides data — metadata of both foreigners and citizens on US soil — to nearly two dozen U.S. government agencies, including the DEA, FBI, and CIA, The Intercept reported.

Many of the people whose data was collected had not been accused of any illegal activity. Until now, it was unclear exactly what mechanism the US intelligence agency used to share the massive amounts of surveillance data, or how many government agencies it shared the information with.

The classified documents show that the FBI and the Drug Enforcement Administration were the "key participants" in the ICREACH program, but it has been accessible to more than 1,000 analysts at 23 U.S. government agencies that perform intelligence work.

According to The Intercept journalist Ryan Gallagher, the ICREACH search engine, masterminded by recently retired NSA Director Gen. Keith Alexander, was launched by the NSA in 2007, but its existence only became public on Monday this week.

With the 850 billion metadata records shared through the ICREACH program, one can track people’s movements, map out their networks of associates, predict future actions, and potentially reveal religious affiliations or political beliefs.

The NSA described the ICREACH program as a “one-stop shopping tool” for communications analysis, which generates a portrait of communication patterns associated with a particular piece of information, like a phone number or e-mail address linked to a person.

ICREACH was designed to pull information stored in multiple databases created by programs greenlit under Executive Order 12333 — an order issued by President Reagan that vastly expanded the American intelligence community's powers to collect data from foreign communications networks — though the report claims that the system also contains "millions of records on American citizens who have not been accused of any wrongdoing."

It’s been a bad weekend for Sony PlayStation. The entire PlayStation Network was down for much of the day after a distributed denial-of-service (DDoS) attack left the network inaccessible to users.

It's possible that EVE Online and Guild Wars 2 have also been hit by the attackers. Developers on the EVE Online forums have announced DDoS issues, and many users on the Guild Wars 2 forums have been reporting login issues.

Sony’s PlayStation Network is an online service that connects PlayStation 3 and PlayStation 4 video game consoles to the Internet and to over-the-top video services such as Netflix.

What’s weird about this attack is that it was accompanied by a security threat against the American Airlines plane on which the President of Sony Online Entertainment, John Smedley, was traveling today. The aircraft, with a full load of passengers, was diverted to Phoenix due to a bomb threat.

WHO BROUGHT DOWN THE SONY PLAYSTATION NETWORK?

Two separate hacker groups, Lizard Squad and Famed God, took to social media, Twitter and YouTube, respectively, to claim responsibility for the DDoS attack on the entertainment company, which, according to Sony, inflicted an "artificially high" amount of traffic on the PlayStation Network and Sony Entertainment Network.

EXPLOSIVES ON THE AIRPLANE

At 1:30 p.m. ET, the Lizard Squad group posted on Twitter that an American Airlines plane, with Sony Online Entertainment president John Smedley on board, had explosives aboard, a bomb threat that caused the grounding of American Airlines flight 362. The flight has since been sent safely on its way.

Smedley later confirmed that his flight from Dallas to San Francisco was being diverted to Phoenix, Arizona. "Flight diverted to Phoenix for security reasons," he said. "Something about the security and our cargo. Sitting on Tarmack."

According to the company, no personal information had been leaked in the attack, but the rolling outage persists in various places, some ten hours or more after the attack began.

"Like other major networks around the world, the PlayStation Network and Sony Entertainment Network have been impacted by an attempt to overwhelm our network with artificially high traffic," Sid Shuman wrote on Sony's official blog.

"Although this has impacted your ability to access our network and enjoy our services, no personal information has been accessed. We will continue to work towards fixing this issue and hope to have our services up and running as soon as possible. We regret any inconvenience this may have caused."

The Federal Bureau of Investigation is investigating the flight incident, Kotaku reported. At the time of writing, the reasons for the attack are still unclear and there has been no confirmation that the two incidents are connected, but a final tweet by Smedley indicates that he believes it was not a coincidence.

UPDATE: Initially, the two separate groups claimed responsibility for the attack, but FAMEGod, the Anonymous member who was behind the famous "2011 PSN Outage," revealed the IP addresses of Lizard Squad members as proof that he was behind it.

FameGod threatened to attack Microsoft Corp's Xbox Live network as his next hacking project, under the codename "Project Micro", and added, “See atleast Xbox and Microsoft are smart and dont operate on one datacenter. Sony your f**king aids.”

Some users said they had problems accessing Xbox Live network on Sunday, but Xbox spokesman David Dennis told Reuters, "We don't comment on the root cause of a specific issue, but as you can see on Xbox.com/status, the core Xbox LIVE services are up and running".

A group of security researchers has discovered a method of hacking into six out of seven popular smartphone apps, including Gmail, across all three platforms - the Android, Windows and iOS operating systems - with a shockingly high success rate of up to 92 percent.

Computer scientists at the University of California, Riverside's Bourns College of Engineering and the University of Michigan have identified a new weakness they believe exists in the Android, Windows and iOS platforms, which could be used by hackers to obtain users’ personal information via malicious apps.

The team of researchers - Zhiyun Qian, of the University of California, Riverside, and Z. Morley Mao and Qi Alfred Chen from the University of Michigan - will present its paper, "Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks" (PDF), at the USENIX Security Symposium in San Diego on August 23.

The paper details a new type of attack, which they call a UI [user interface] state inference attack, in which the malicious app runs in the background without the user’s knowledge. You can watch some short videos of the attacks in action below.

Although the researchers demonstrated the hack on an Android device, they believe the same method could be used on all three platforms, because when a user downloads multiple apps to a smartphone, the apps all run on the same shared platform, the operating system.

"The assumption has always been that these apps can't interfere with each other easily," said Zhiyun Qian, an associate professor at UC Riverside. "We show that assumption is not correct and one app can in fact significantly impact another and result in harmful consequences for the user."

Users are therefore open to such attacks, since an Android phone allows one app to be hijacked or pre-empted by another. According to the team, the method could allow a hacker to steal a user's password or social security number, peek at a photo of a check in a banking app, or swipe credit card numbers and other sensitive data. The team tested a number of apps and found several, including WebMD, Chase and Gmail, vulnerable.

To demonstrate the attack on an Android device, an unsigned app such as a wallpaper changer carrying malicious code is first installed on the user's phone. Once installed, the attacker can use it to access what the researchers call a "shared-memory side channel" - which exists in nearly all popular graphical user interface (GUI) systems - for any process, without needing any special privileges.

The researchers then monitored changes in this shared memory and were able to detect specific "activity transition events", such as a user logging into Gmail or H&R Block, or taking a picture of a cheque to deposit it online via the Chase Bank app.

In all, the team tried to attack seven apps, of which six were hacked easily. Gmail and H&R Block were the easiest to hack, with a success rate of 92 percent. Amazon, on the other hand, was by far the hardest, with just a 48 percent success rate.

"The Amazon app case indicates that our inference method may not work well if certain features are not sufficiently distinct, especially the major contributors such as the transition model and the network event feature," the researchers write in the paper.

Using a few other side channels, the team was able to accurately detect what a user was doing in an app in real time. Because this security hole is not unique to Android, the hack could presumably be used on iOS and Windows as well, the researchers say.

A successful attack requires two things:

First, the attack needs to take place at the exact moment that the user is performing the action.

Second, the attack needs to be conducted in such a way that the user is unaware of it.

The team managed to pull this off by carefully timing the attacks.

"We know the user is in the banking app, and when he or she is about to log in, we inject an identical login screen," said electrical engineering doctoral student Qi Alfred Chen from the University of Michigan. "It's seamless because we have this timing."

At the USENIX Security Symposium, the researchers will recommend methods to eliminate the side channel and suggest more secure system designs, the team said in the paper. If you want to keep yourself safe from an attack like this, it is always good practice to be very careful about the apps you install on your phone — especially apps from unofficial sources.

A number of large technology companies already run bug bounty programs that reward researchers and security enthusiasts who contribute to the security of the Internet by finding holes in software or web platforms, and Facebook is the latest to do so.

Facebook and USENIX have together launched the Internet Defense Prize, an award recognizing superior-quality research that combines a working prototype with significant contributions to securing the Internet, Facebook announced Thursday at the annual USENIX Security Symposium in San Diego.

Facebook also announced the first award under the Internet Defense Prize, which went to a pair of German researchers for their paper "Static Detection of Second-Order Vulnerabilities in Web Applications", a promising approach to finding vulnerabilities in web applications.

The pair used static analysis to detect "second-order vulnerabilities": flaws in which attacker-controlled input is first stored on the web server (in a database, session data or a file) and only later, when it is read back and used without sanitization, causes harm. Unlike a first-order flaw, where the malicious input reaches a sensitive operation within the same request, a second-order flaw lets an attacker plant a payload ahead of time and have it trigger when some other part of the application, often on behalf of a different user, reads it.

“For example, XSS attacks that target the application’s users are worse if the payload is stored in a shared resource and distributed to all users,” the paper explained.

Second-order vulnerabilities are hard to find by static source-code analysis because the dangerous data flow is split across two separate code paths that are joined only by the data store. "By analysing reads and writes to memory locations of the web server, we are able to identify unsanitized data flows by connecting input and output points of data in persistent data stores such as databases or session data," the researchers said. Their prototype revealed 159 second-order vulnerabilities in six popular web applications, including several critical zero-day holes.
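The idea of "connecting input and output points" through the data store can be shown on a toy scale. The following is an added example, not the researchers' tool: it runs a simple taint analysis over a constructed intermediate representation of two PHP-like request handlers (one that saves a profile, one that renders it), treating a persistent store as a link between a tainted write and every later read. Statement shapes, variable names and store keys are all assumptions for this illustration; the real analysis works on PHP source and is far richer.

```python
# Tiny straight-line IR, constructed for this example. Each statement is a tuple:
#   ("input", var, source)      var receives untrusted request data
#   ("sanitize", var)           var is encoded/escaped for its sink
#   ("store", key, var)         var is written to a persistent store (db/session/file)
#   ("load", var, key)          var is read back from a persistent store
#   ("sink", var, kind)         var reaches a sensitive operation (echo, sql, exec)


def _run_pass(program, tainted_keys):
    """One forward pass. `tainted_keys` are stores known to hold unsanitized data
    from an earlier pass; returns (keys written with tainted data, sink findings)."""
    taint = {}          # var -> origin of its taint
    written = set()
    findings = []
    for idx, op in enumerate(program):
        kind = op[0]
        if kind == "input":
            taint[op[1]] = "input:" + op[2]
        elif kind == "sanitize":
            taint.pop(op[1], None)
        elif kind == "store":
            key, var = op[1], op[2]
            if var in taint:
                written.add(key)
        elif kind == "load":
            var, key = op[1], op[2]
            if key in tainted_keys:
                taint[var] = "load:" + key
            else:
                taint.pop(var, None)
        elif kind == "sink":
            var = op[1]
            if var in taint:
                origin = taint[var]
                findings.append({"stmt": idx, "var": var, "sink": op[2], "origin": origin,
                                 "order": "second" if origin.startswith("load:") else "first"})
    return written, findings


def analyze(program):
    """Connect writes and reads of persistent data until no new tainted store
    appears, then report every sink reached by tainted data."""
    tainted_keys = set()
    while True:
        written, findings = _run_pass(program, tainted_keys)
        if written <= tainted_keys:
            return sorted(tainted_keys), findings
        tainted_keys |= written


# Constructed PHP-like handlers: saving a profile and rendering it to visitors.
PROFILE_SAVE = [
    ("input", "bio", "$_POST['bio']"),
    ("store", "db:users.bio", "bio"),        # persisted without sanitization
    ("input", "name", "$_POST['name']"),
    ("sanitize", "name"),                    # e.g. htmlspecialchars() before storing
    ("store", "db:users.name", "name"),
]
PROFILE_VIEW = [
    ("load", "bio", "db:users.bio"),
    ("sink", "bio", "echo"),                 # every visitor renders the stored bio
    ("load", "name", "db:users.name"),
    ("sink", "name", "echo"),
]
```

A single-request taint analysis sees nothing wrong in either handler on its own; only by recording that `db:users.bio` was written with unsanitized data, and then treating every load of that key as tainted, does the stored XSS in the view handler surface. The order of the two handlers in the source is irrelevant, which is exactly why the store, not control flow, has to be the connecting edge.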

The researchers, Johannes Dahse and Thorsten Holz of Ruhr University Bochum, Germany, received the $50,000 prize from an award committee made up of Facebook and USENIX representatives. The committee saw a "clear path" for using the money to turn the research into technology that could be deployed in the real world.

The Internet Defense Prize is an ongoing program and the committee is soliciting new entries for a future prize, according to John “Four” Flynn, a security engineering manager at Facebook who served on the Award Committee for the Internet Defense Prize.

"We decided to focus on creating greater opportunities and incentives for researchers to produce work that actually protects people," Flynn wrote in a blog post. "Our answer is the Internet Defense Prize, an award to recognize superior quality research that combines a working prototype with significant contributions to the security of the internet — particularly in the areas of protection and defense."

The committee is inviting researchers and security enthusiasts to submit their work to Facebook for consideration to be a future recipient of the Internet Defense Prize, and said that the award amount may increase depending on the strength of the submission, or it may hold onto the funds if no project meets the bar.

Last November, Facebook also helped create the Internet Bug Bounty, which, like the Internet Defense Prize, rewards researchers for finding large-scale Internet vulnerabilities in open source software projects. The Internet Bug Bounty is hosted by HackerOne and is also backed by other large companies such as Microsoft and Google.

THN Deals Store this week brings you the Cybersecurity Certification Mega Bundle, which will walk you through the skills and concepts you need to master three elite cybersecurity certification exams: CISA, CISM, and CISSP [...]

Good news: this month we bring our readers a deal where you can get hacking courses for whatever you want to pay, and if you beat the average price you receive the fully upgraded hacking bundle!

Pebble, a wristwatch that connects to your phone, both iOS and Android, and interacts with apps, has a denial-of-service vulnerability that allows a remote attacker to wipe your smartwatch.

The Pebble smartwatch, developed and released by Pebble Technology Corporation in 2013, is one of the most popular smartwatches and was the most funded project in the history of Kickstarter. Just two hours after its crowd-funding campaign launched, Pebble had surpassed its $100,000 goal, and it eventually reached over $10.25 million pledged by nearly 70,000 Kickstarter backers.

Security enthusiast Hemanth Joseph claims to have found that his Pebble smartwatch running the latest v2.4.1 firmware can be remotely attacked by anyone, with no technical knowledge required, to delete all data stored on the device: apps, notes and other information.

HOW PEBBLE SMARTWATCH WORKS

Before going into how he did this, here is how Pebble works, to make the attack clearer. When a Pebble smartwatch is connected to an Android or iOS phone, it vibrates for every message from WhatsApp, Facebook or similar apps and displays the whole message on its screen.

There is no character limit on these messages. If you receive a lengthy message, say 100 words or more, from WhatsApp or any other messaging app, Pebble shows the entire message on its small screen, and that is the hole Joseph exploited.

ATTACK SCENARIO

Joseph tried sending 1,500 messages in 5 seconds and saw his Pebble's screen fill with lines; soon afterwards the watch switched itself off and performed a factory reset.

“Due to that automatic Factory Reset I lost all my Apps and other data which I was having in my Pebble,” Joseph wrote in his blog post. “The same occurred even when I decreased the no. of messages to 300 in 5 sec.”

Anyone who knows your Facebook ID or even your mobile number can exploit this denial-of-service (DoS) bug to remotely delete all the data on your Pebble, simply by sending a burst of short messages.

In a DoS attack, an attacker sends more requests to the target device than it can handle at once, overloading it.

IMPACTS OF DoS ATTACK

He noticed that the flood had different effects on different wearable devices. In some cases the device:

crashed and rebooted, or

crashed, rebooted and factory reset.

Unfortunately, Joseph's Pebble was permanently damaged after a number of experiments. He suggested that the company enforce a character limit when showing app messages on the screen, and also recommended that Pebble remove the automatic factory reset.

PEBBLE RESPONDED

When he approached Pebble regarding the issue, the company replied, “After the freezing of your Pebble you will see a lot of white straight lines all over the screen. We can’t make it back to a working condition by simply Switching it off, we MUST do a Factory Reset in order to make it working again. So it is sure that all your data will be Deleted if your pebble gets a DoS!”
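The two fixes Joseph asked for (a character cap on forwarded messages and no automatic wipe) belong on the phone side, before anything reaches the watch. As an added example, not Pebble's or Joseph's code, the gate below sits between the messaging apps and the watch link and enforces a per-message length cap plus a per-window rate limit; the limits (160 characters, 10 notifications per 5 seconds) and the flood simulation are assumptions chosen to mirror the 300-messages-in-5-seconds scenario in the article.

```python
from collections import deque


class NotificationGate:
    """Phone-side filter between messaging apps and the watch link. Enforces a
    per-message character cap and a maximum number of notifications per window,
    so a message bomb never reaches the watch's renderer."""

    def __init__(self, max_chars=160, max_per_window=10, window_s=5.0):
        self.max_chars = max_chars
        self.max_per_window = max_per_window
        self.window_s = window_s
        self._sent = deque()      # timestamps of notifications forwarded in the window
        self.forwarded = []       # (sender, text) actually pushed to the watch
        self.dropped = 0

    def push(self, sender, text, now):
        """Return the text forwarded to the watch, or None if rate-limited.
        `now` is an explicit clock so a flood can be simulated deterministically."""
        # Slide the window: forget forwards older than window_s.
        while self._sent and now - self._sent[0] >= self.window_s:
            self._sent.popleft()
        if len(self._sent) >= self.max_per_window:
            self.dropped += 1
            return None
        if len(text) > self.max_chars:
            text = text[: self.max_chars - 3] + "..."
        self._sent.append(now)
        self.forwarded.append((sender, text))
        return text


def simulate_flood(count=300, duration_s=5.0):
    """Replay the article's scenario: `count` messages inside `duration_s`.
    Returns (forwarded, dropped)."""
    gate = NotificationGate()
    for i in range(count):
        gate.push("attacker", f"spam {i}", now=i * duration_s / count)
    return len(gate.forwarded), gate.dropped
```

Dropping on the phone is the right layer: the watch firmware's failure mode (freeze, then factory reset) is exactly what must never be reachable from an untrusted sender, so the bounded input has to be guaranteed before the watch sees it.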

HACKERS TO DEMONSTRATE WHATSAPP DoS ATTACK LIVE

Two young security enthusiasts will demonstrate a possible large-scale remote DoS attack on WhatsApp users at The Hackers Conference 2014.

According to the paper abstract, Ashwin Thawrani and Rajat Agarwal have identified a serious vulnerability in the popular messaging application WhatsApp that could allow them to permanently crash the application installed on users' smartphones.

The Hackers Conference will be held in New Delhi on August 30th, 2014, attended by industry leaders, government representatives and underground black-hat hackers.

The United States division of Samsung has been accused of deceiving the US government into believing that several of its products met federal procurement rules, with the result that the government bought unauthorised Chinese-made electronics.

The South Korean electronics giant has agreed to pay the Government $2.3 million in fines to settle the charges of violating trade agreements, the Justice Department announced Tuesday.

Under federal contracting rules, government agencies are required to purchase only products made in the United States or in countries that have a trade agreement with the United States.

Federal agencies purchased Samsung products through authorised resellers, believing they were manufactured in South Korea or Mexico and therefore complied with government procurement rules, namely the Trade Agreements Act.

SAMSUNG LIED TO U.S. GOVERNMENT

Contrary to the terms of the contract, Samsung was found to have misled the US government between 2005 and 2013 by providing the resellers "inaccurate information" about the country of origin of the products: products it claimed were made in Mexico or South Korea were actually manufactured in China, which is not party to the agreement.

According to the Justice department, this settlement is not an admission of liability by Samsung. Samsung has yet to comment on the settlement.

“This settlement upholds important trade priorities by ensuring that the United States only uses its buying power to purchase from countries that trade fairly with us,” Stuart F. Delery, the Assistant Attorney General for the Justice Department’s Civil Division, said in a statement on Tuesday.

The settlement was a joint effort by the U.S. Attorney’s Office for the District of Maryland, the commercial litigation branch of the Justice Department’s civil division and the General Service Administration inspector general.

The matter came to light after a former Samsung employee, Robert Simmons, shared the information with federal authorities under the whistleblower provisions of the False Claims Act, which allows whistleblowers to sue on behalf of the US over false claims and to share in the recovery. He will receive a portion of the settlement for alerting the government to the issue.

WITH LOVE — FROM CHINA

The United States has an increasingly distrustful relationship with China and with leading Chinese tech firms. Networking giant Huawei has effectively shut down its American presence after scrutiny from US lawmakers and regulators who allege that Huawei builds backdoors for the Chinese government into its equipment.

In 2012, the US government barred its federal agencies from using Chinese products that could pose a threat to US national-security interests.

China hit back after former NSA contractor Edward Snowden leaked documents about the United States' worldwide surveillance programs, pressuring its domestic banks to replace high-end IBM servers with equipment manufactured within the country.

The country also banned the procurement of technology from a number of foreign firms, including Microsoft, Apple, Symantec and Kaspersky.

Hacking Internet of Things (IoT) devices has become routine practice for cyber criminals, but messing with traffic lights is a crazier prospect.

Hacking scenes in Hollywood movies have mostly been entertainment for the technology industry, as with the traffic lights hacked in Die Hard and The Italian Job, but such movies do inspire hackers to attempt similar attacks in real life.

Security researchers at the University of Michigan have not only hacked traffic light signals in real life, but also claim it is shockingly easy for anyone with a laptop and the right kind of radio. Compared with the traffic light hacks in the movies, the real thing is much easier.

In a paper published this month, the researchers describe how a series of major security vulnerabilities in traffic light systems allowed them to quickly and easily seize control of at least 100 traffic signals in an unnamed Michigan city from a single point of access.

Researchers took permission from a local road agency before performing the hack, but they did not disclose exactly where in Michigan they did their research.

‟Our attacks show that an adversary can control traffic infrastructure to cause disruption, degrade safety, or gain an unfair advantage,” the paper explained.

SECURITY HOLES IN TRAFFIC LIGHT SYSTEMS

The team, led by University of Michigan computer scientist J. Alex Halderman, said that the networked traffic systems are left vulnerable to three major weaknesses:

unencrypted radio signals,

the use of factory-default usernames and passwords, and

a debugging port that is easy to attack

This leaves the network accessible to anyone from cyber criminals to young hackers.

“The vulnerabilities we discover in the infrastructure are not a fault of any one device or design choice, but rather show a systemic lack of security consciousness,” the researchers report in a paper.

To save on installation costs and increase flexibility, the traffic light system uses wireless radio links rather than dedicated physical network links for its communication infrastructure, and this is the hole the researchers exploited. More than 40 states currently use such systems to keep traffic flowing as efficiently as possible.

“The safety critical nature of traffic infrastructure requires that it be secure against computer-based attacks, but this is not always the case,” the team said. “We investigate a networked traffic signal system currently deployed in the United States and discover a number of security flaws that exist due to systemic failures by the designers. We leveraged these flaws to create attacks which gain control of the system, and we successfully demonstrate them on the deployment.”

WIRELESS SECURITY IN QUESTION

The traffic light systems use a combination of 5.8GHz and 900MHz radios, depending on the conditions at each intersection, for wireless communication in point-to-point or point-to-multipoint configurations. The 900MHz links use "a proprietary protocol with frequency hopping spread-spectrum (FHSS)", while the 5.8GHz version of the proprietary protocol is not very different from 802.11n.

The researchers say that anyone with a laptop and a wireless card operating on the same frequency as the wirelessly networked traffic lights, in this case 5.8 gigahertz, could access the entire unencrypted network.

DEBUG PORT

After gaining network access, the next step was to communicate with one of the controllers on the target network. This was easy because the control boxes run VxWorks 5.5, a version which by default is built with a debug port left accessible for testing.

“By sniffing packets sent between the controller and this program, we discovered that communication to the controller is not encrypted, requires no authentication, and is replayable. Using this information, we were then able to reverse engineer parts of the communication structure,” the paper reads.

“Various command packets only differ in the last byte, allowing an attacker to easily determine remaining commands once one has been discovered. We created a program that allows a user to activate any button on the controller and then displays the results to the user. We also created a library of commands which enable scriptable attacks. We tested this code in the field and were able to access the controller remotely.”

This debug port allowed the researchers to turn all lights red or alter the timing of neighboring intersections, for example to make sure someone hit all green lights on a given route.

More worrying is the ability of an attacker to perform a denial-of-service (DoS) attack on controlled intersections by triggering each intersection's malfunction management unit with invalid configurations, which would put the lights into a failure mode.
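The three properties the paper found in the controller protocol (unencrypted, unauthenticated, replayable, with commands that differ only in their last byte) are each cheap to fix at the protocol layer. The following added example, which is not the researchers' tooling and not the vendor's protocol, models a legacy receiver that executes any well-formed packet next to a hardened receiver that authenticates each command with HMAC-SHA256 and rejects any counter that does not advance. The packet layout, opcodes and key are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Constructed command format modelled on the paper's observation that command
# packets differ only in their last byte: a fixed header plus a one-byte opcode.
HEADER = b"\xaa\x55\x01"
OPCODES = {"all_red": 0x10, "extend_green": 0x11, "reset": 0x12}

# Constructed per-controller key; a real deployment would provision one per
# device at install time rather than baking it into a firmware image.
KEY = bytes.fromhex("1f" * 32)
TAG_LEN = 16


def legacy_controller(packet, state):
    """Vulnerable receiver: no authentication, no replay protection.
    Any well-formed packet, sniffed or guessed, is executed."""
    if len(packet) != 4 or packet[:3] != HEADER:
        return "malformed"
    state["executed"].append(packet[3])
    return "executed"


def build_secure(cmd, counter, key=KEY):
    """Command plus a monotonic counter, authenticated with truncated HMAC-SHA256."""
    body = HEADER + bytes([OPCODES[cmd]]) + struct.pack(">Q", counter)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


def secure_controller(packet, state, key=KEY):
    """Hardened receiver: verify the MAC in constant time, then reject any
    counter that does not advance (replays and reordered old packets)."""
    if len(packet) != 12 + TAG_LEN or packet[:3] != HEADER:
        return "malformed"
    body, tag = packet[:12], packet[12:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(expected, tag):
        return "bad_mac"
    counter = struct.unpack(">Q", body[4:12])[0]
    if counter <= state["last_counter"]:
        return "replay"
    state["last_counter"] = counter
    state["executed"].append(body[3])
    return "executed"


def demo():
    """Run the sniff-and-replay and last-byte-enumeration tricks against both receivers."""
    legacy = {"executed": []}
    sniffed = HEADER + bytes([OPCODES["all_red"]])
    legacy_replay = legacy_controller(sniffed, legacy)          # replay succeeds
    for op in range(0x10, 0x13):                                # enumerate the last byte
        legacy_controller(HEADER + bytes([op]), legacy)

    secure = {"last_counter": 0, "executed": []}
    pkt = build_secure("all_red", 1)
    first = secure_controller(pkt, secure)                      # genuine, executed once
    replay = secure_controller(pkt, secure)                     # same packet again
    forged = pkt[:3] + bytes([OPCODES["reset"]]) + pkt[4:]      # flip opcode, keep tag
    tamper = secure_controller(forged, secure)
    return {
        "legacy_replay": legacy_replay,
        "legacy_executed": len(legacy["executed"]),
        "secure_first": first,
        "secure_replay": replay,
        "secure_tamper": tamper,
        "secure_executed": len(secure["executed"]),
    }
```

Authentication on its own would not stop the replay the paper describes, and a counter on its own would not stop the opcode enumeration; the receiver needs both, and the counter must be covered by the MAC so it cannot be adjusted independently. Confidentiality (encrypting the link) is a separate fix and does not substitute for either.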

SOLUTION TO PROBLEM

Finally, the team called on manufacturers and operators to improve the security of traffic infrastructure. It recommended that traffic-system administrators stop using default usernames and passwords and stop broadcasting communications unencrypted for "casual observers and curious teenagers" to see.

"While traffic control systems may be built to fail into a safe state, we have shown that they are not safe from attacks by a determined adversary," the paper concluded.

They also warned that devices like voting machines and even connected cars could suffer similar attacks.

Network security practitioners rely heavily on intrusion detection systems (IDS) to identify malicious activity on their networks by examining network traffic in real time. IDS come in Network (NIDS), Host (HIDS) and Wireless (WIDS) forms. A host IDS is installed as an agent on the system you are monitoring and analyzes system behavior and configuration status. A network IDS inspects the traffic between hosts for signatures of suspicious behavior and anomalies. A wireless IDS identifies rogue access points, unauthorized login attempts, the encryption level in use, and other anomalous behavior. There are many open source IDS tools if your budget for new tools is tight.

Asset inventory and vulnerability management go hand in hand with IDS. Knowing the role, function, and vulnerabilities of your assets will add valuable context to your investigations. AlienVault Unified Security Management (USM) includes IDS integrated with asset discovery and vulnerability scanning so you can quickly get all the information you need to respond to incidents.

AlienVault’s Network IDS shows you the overall status of your network for a management view:

Best practices for Network IDS:

Baselining or profiling normal network behavior is the first step for IDS deployment. Determining what’s “normal” for your network allows you to focus on anomalous and potentially malicious behavior. This saves you time and brings real threats to the surface quickly for remediation.

Placement of the IDS device is an important consideration. Most often it is deployed behind the firewall at the edge of your network. This gives the highest visibility into traffic crossing the perimeter, but it misses traffic between internal hosts. The right approach is determined by your available resources: start with the most obvious placement, then over time extend IDS coverage into less obvious areas. You should also consider multiple IDS installations to cover host-to-host traffic.

You need to properly size your IDS installation by examining the amount of data that is flowing in BOTH directions where you wish to tap. Be sure to add overhead for future expansion.

A false positive occurs when your IDS alerts on activity that you know is innocuous. An improperly tuned IDS will generate an overwhelming number of false positives. Establishing a policy that suppresses known false positives saves time in future investigations and prevents unwarranted escalations. Tuning your IDS to report as few false positives as possible makes your life much easier, as you can focus on the important issues with the least distraction.
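A suppression policy is most useful when it is explicit and reviewable rather than a pile of disabled rules. As an added example (not AlienVault's code), the snippet below parses constructed Snort/Suricata-style fast alert lines and applies a policy that suppresses a signature only when it fires from a source known to be benign for that signature, such as an authorized vulnerability scanner; the signature IDs, addresses and reasons are all constructed.

```python
import ipaddress
import re

# Snort/Suricata "fast" alert format; ports are absent for ICMP.
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]+)\] )?\[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)

# Constructed sample alerts: an authorized scanner, an Internet host running the
# same scan, a monitoring host's ping, and a real attack response from a web server.
SAMPLE_ALERTS = [
    "08/14-10:02:11.123456  [**] [1:2000538:9] ET SCAN NMAP -sS window 2048 [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.1.5:42231 -> 10.1.2.9:22",
    "08/14-10:02:12.001122  [**] [1:2000538:9] ET SCAN NMAP -sS window 2048 [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:55120 -> 10.1.2.9:22",
    "08/14-10:02:15.900000  [**] [1:366:7] ICMP PING *NIX [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 10.1.1.7 -> 10.1.2.9",
    "08/14-10:03:01.500000  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 1] {TCP} 10.1.2.9:80 -> 198.51.100.23:51234",
]

# Tuning policy: each entry names the signature it suppresses, the source network
# from which that signature is known to be benign, and why. Nothing is suppressed
# globally; the same signature from anywhere else still alerts.
SUPPRESSIONS = [
    {"sid": 2000538, "src_net": "10.1.1.5/32", "reason": "authorized vulnerability scanner"},
    {"sid": 366,     "src_net": "10.1.1.0/24", "reason": "monitoring hosts ping everything"},
]


def parse_alert(line):
    m = ALERT_RE.search(line)
    if not m:
        return None
    alert = m.groupdict()
    alert["sid"] = int(alert["sid"])
    alert["prio"] = int(alert["prio"])
    return alert


def suppression_reason(alert, suppressions=SUPPRESSIONS):
    src = ipaddress.ip_address(alert["src"])
    for rule in suppressions:
        if rule["sid"] == alert["sid"] and src in ipaddress.ip_network(rule["src_net"]):
            return rule["reason"]
    return None


def triage(lines, suppressions=SUPPRESSIONS):
    """Return (alerts worth a look, highest priority first; suppressed alerts with reasons)."""
    kept, dropped = [], []
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        reason = suppression_reason(alert, suppressions)
        if reason:
            dropped.append((alert, reason))
        else:
            kept.append(alert)
    kept.sort(key=lambda a: a["prio"])
    return kept, dropped
```

Keeping the suppressed alerts, with their reasons, rather than discarding them is deliberate: they are the evidence that the policy is doing what you think, and a suppression whose reason no longer holds (the scanner was decommissioned, the monitoring host was re-addressed) should show up in a periodic review.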

AlienVault USM reduces false positives through the fidelity of its correlation rules. The AlienVault research team has a deep understanding of the data sources entering the correlation engine. This insight allows them to create accurate correlation rules based on actual behavior seen in the wild, as opposed to just guessing what you *might* have integrated like other products have to do. Furthermore, when alarms do occur, USM provides the rich context needed to make the determination of validity. You can spend less time swiveling in your chair from console to console, and focus on the incident.

The Alarm Taxonomy view in AlienVault USM allows you to quickly determine the priority of your investigations. Spend less time wondering what a Conficker or HeartBleed is and more time investigating infections or exploits.

Next, let’s look at best practices for Host IDS:

The default settings for which files to watch are not enough. The defaults for HIDS usually only monitor changes to the basic operating system files. They may not have awareness of applications you have installed or proprietary data you wish to safeguard.

Define what critical data resides on your assets and create policies to detect changes in that data

If your company uses custom applications, be sure to include the logs for them in your HIDS configuration

As with Network IDS, reducing false positives is critical
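The point about defaults can be shown directly: a file-integrity check that watches only operating-system files never notices a change to your own application's configuration. The following is an added example, not any vendor's HIDS; it builds a SHA-256 baseline for a watchlist, tampers with a constructed application config in a temporary directory, and compares what the default watchlist reports against an extended one. Paths and file contents are constructed.

```python
import hashlib
import os
import tempfile

# A typical HIDS default watchlist covers only OS files; the custom entries are
# what the operator has to add for their own application and data.
DEFAULT_WATCH = ["etc/passwd", "etc/ssh/sshd_config"]
CUSTOM_WATCH = ["opt/billing/config.ini", "opt/billing/data/customers.db"]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, watchlist):
    """Map each watched relative path to its digest; missing files map to None."""
    baseline = {}
    for rel in watchlist:
        full = os.path.join(root, rel)
        baseline[rel] = sha256_file(full) if os.path.isfile(full) else None
    return baseline


def diff_baseline(old, new):
    """Report files whose digest changed, that disappeared, or that newly appeared."""
    changed = sorted(p for p in old if old[p] and new.get(p) and old[p] != new[p])
    removed = sorted(p for p in old if old[p] and not new.get(p))
    added = sorted(p for p in new if new[p] and not old.get(p))
    return {"changed": changed, "removed": removed, "added": added}


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed host: baseline, tamper with the app config, then compare the
    default watchlist's view with the extended one."""
    root = tempfile.mkdtemp()
    _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/bash\n")
    _write(root, "etc/ssh/sshd_config", b"PermitRootLogin no\n")
    _write(root, "opt/billing/config.ini", b"[db]\nhost=db.internal\n")
    _write(root, "opt/billing/data/customers.db", b"\x00\x01\x02")
    watch_all = DEFAULT_WATCH + CUSTOM_WATCH
    base_default = build_baseline(root, DEFAULT_WATCH)
    base_all = build_baseline(root, watch_all)

    # Attacker repoints the application at a rogue database host.
    _write(root, "opt/billing/config.ini", b"[db]\nhost=203.0.113.9\n")

    return {
        "default_view": diff_baseline(base_default, build_baseline(root, DEFAULT_WATCH)),
        "extended_view": diff_baseline(base_all, build_baseline(root, watch_all)),
    }
```

In practice the baseline is stored off-host (or at least signed), because an attacker who can rewrite the config can usually rewrite a local baseline file too; and the watchlist should be driven from the list of critical data you defined in the previous step, not from what the agent happens to ship with.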

If you have jailbroken your iPhone, iPad or iPod touch and have installed pirated tweaks from pirate repositories, you may be infected by "AdThief", a Chinese malware that is now installed on more than 75,000 iOS devices.

According to a recent research paper published by Virus Bulletin, written by security researcher Axelle Apvrille, the malware, also known as "spad", was first discovered by security researcher Claud Xiao in March this year.

The malware infects jailbroken iOS devices by disguising itself as a Cydia Substrate extension (a framework present only on jailbroken Apple devices) when an infected Cydia package is downloaded and installed by an unsuspecting user.

Once installed, the malware modifies certain advertisements displayed on the device so that the revenue they generate is redirected to the malware's author. In short, if you run a free ad-supported iOS app on an infected device, the ad revenue generated by that app goes to the criminal behind AdThief rather than to the app's developer.

"In other words, each time you view or click an ad on an infected device, the corresponding revenue goes to the attacker, and not to the developer or the legitimate affiliate," Apvrille said. "[AdThief] hooks various advertisement functions and modifies the developer ID (promotion ID) to match that of the attacker."

AdThief targets advertisements from 15 mobile advertising networks, including Google's AdMob and Mobile Ads, AdWhirl, MdotM and MobClick; four of the networks are based in the US, two in India and the remainder in China.

The researcher was able to identify the targeted networks because the author forgot to strip identifying information from the code. Further investigation led Apvrille to the coder, who ran a blog detailing various Android hacks as well as a GitHub account and an inactive Twitter account. The researcher traced the code to a Chinese virus writer using the handle Rover 12421, who admitted writing AdThief but denied distributing it.

According to the researcher, although the number of infected devices is small compared with the number of iOS devices in use, the attackers likely generated significant revenue, with an estimated 22 million advertisements hijacked.

The worrying part is that an infected user has little way of noticing: AdThief runs in the background and is very hard to detect. Users of unmodified iOS devices need not worry, as they are not affected by this malware.

Users of jailbroken Apple iOS devices are recommended to avoid downloads from untrusted repositories. Always be careful about adding new sources, and also be suspicious of those sources that promise pirated downloads of paid apps or tweaks.

Google has been involved in several controversies, including being named among the companies claimed to cooperate with US surveillance agencies on their global data-mining programmes, and just yesterday media tycoon Rupert Murdoch labeled Google worse than the NSA, saying “NSA privacy invasion bad, but nothing compared to Google.”

Now another, already known, controversy over the Internet giant has raised concerns about the privacy of users who carry their smartphones with them. We all have sensors in our pockets that track us everywhere we go: our smartphones.

GOOGLE TRACKS YOU EVERYWHERE YOU GO - LOCATION HISTORY

With the help of these sensors, Google tracks our every step and places a red dot on its map for each location record, Junkee.com reports.

“You can yourself check your every move from here. You just need to log in with the same account you use on your Smartphone, that’s it. The map will display all the records of everywhere you've been for the last day to month on your screen,” Elizabeth Flux, editor of Voiceworks magazine wrote.

Location is one of the most sensitive pieces of information in anyone's life. Where people go in the evening or on vacation is part of their private life, and the mere existence of that data creates a real threat to privacy. Failing to clearly notify users shows disregard for their privacy.

However, your movements are recorded in Google Location History only if you have enabled location services on your smartphone. If you have disabled this service on your phone, you will find no location data on the map.

In fact, even if users disable their devices' location service, it can apparently be switched back on when an app asks for access to their GPS location, so staying on the safe side is harder than it sounds.

In 2009, MPs criticized the Internet giant Google for its "Latitude" system, which allowed people to enable their mobile to give out details of their location to trusted contacts. At the time MPs said that Latitude "could substantially endanger user privacy", but Google pointed out that users had to specifically choose to make their data available.

WHY TRACKING LOCATION?

Google has long been said to track users for the purpose of targeted advertising, but tracking opens the door to surveillance not only by advertisers but also by governments.

Many third parties already track smartphones and tablets location by picking up their user data for various purposes, mostly commercial or ad-related. Advertisers and retail stores can record location data about users in order to either serve certain location-related ads, or to better customize store layouts to maximize in-store impulse purchases.

TURN OFF LOCATION SERVICE

If privacy matters to you, turn off location services or Location History on your device, and avoid apps that ask for your location data.

To disable the location service, select Settings > Privacy > Location and then untick the box next to Use my location.

Since former NSA contractor Edward Snowden revealed the global surveillance programs, privacy has become an important issue for everyone. Whatever 'privacy' settings we apply, our personal information is still being collected and stored somewhere.